Analysis Overview
| Hash | Value |
|---|---|
| SHA256 | a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037 |
Threat Level: Likely malicious
The file file01.vbs was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (15054) files with added filename extension
Renames multiple (24556) files with added filename extension
Drops file in Drivers directory
Possible privilege escalation attempt
Boot or Logon Autostart Execution: Print Processors
Indicator Removal: Clear Windows Event Logs
Modifies file permissions
Checks computer location settings
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
|---|---|
| Reported | 2024-10-11 15:42 |
Signatures
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-10-11 15:42 |
| Reported | 2024-10-11 15:44 |
| Platform | win7-20240903-en |
| Max time kernel | 121s |
| Max time network | 121s |
Command Line
Signatures
Renames multiple (15054) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\drivers\battc.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\portcls.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\cdrom.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\agilevpn.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\dxg.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vdrvroot.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\ULIAGPKX.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\cdrom.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\GAGP30KX.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\acpipmi.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\BrFiltUp.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ipfltdrv.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\stream.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\ndis.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\usb8023.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\BrSerIb.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\pscr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\HdAudio.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\isapnp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\AGP440.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mpio.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\wdf01000.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\tpm.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\tsusbflt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\acpi.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\portcls.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\RNDISMP.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\acpi.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\usbport.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\tpm.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vwifibus.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\ndiscap.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\modem.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\mountmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\amdide.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\hidbth.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\ohci1394.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\rdvgkmd.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\parport.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\partmgr.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\pcmcia.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\scsiport.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\mpio.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\HpSAMD.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\msdsm.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\serial.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\volsnap.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\sermouse.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\dmvsc.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\serscan.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\battc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\fltmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\kbdhid.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\srv.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\IPMIDrv.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\disk.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\wdf01000.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\appid.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\intelppm.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\vhdmp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\amdppm.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\nwifi.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\bxvbda.sys.bat | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\spool\prtprocs\x64\jnwppr.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\de-DE\LXKPTPRC.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\en-US\LXKPTPRC.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\es-ES\LXKPTPRC.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\fr-FR\LXKPTPRC.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\it-IT\LXKPTPRC.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\ja-JP\LXKPTPRC.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Key Management Service.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Media Center.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\OAlerts.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Setup.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Application.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\System.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.bat | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\es-ES\efssvc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\interop.mof.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVRA0.DLL.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\dsprop.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\localspl.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOJ6200.CFG.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\netvsc60.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\usb.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\dot3gpclnt.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\localui.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\iscsiexe.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\mimefilt.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16492.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\it-IT\privacy.rtf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\x64\3\en-US\PSCRIPT5.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYEP510D.PPD.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml405.gpd.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\hpowiav1.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\fveprompt.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\objsel.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\NlsData004b.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\Dot4Prt.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\netr28ux.inf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\PRNEP003.CAT.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\KYPS51DN.GDL.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\uxtheme.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\BioCredProv.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\wlancfg.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\KBDGR.DLL.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wlanhlp.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\wvc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\x64\3\es-ES\CNBBR311.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\ja-JP\win32_tpm.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\route.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\raschap.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\fr-FR\uicom.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\dsprop.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\montr_ci.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7300t.gpd.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\mimefilt.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\x64\3\ja-JP\HPFIME50.DLL.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_Throw.help.txt.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\ESENT.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\ndisuio.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\ipsecsnp.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\drt.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\fdrespub.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\SmiEngine.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\ja-JP\netvwififlt.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\verifier.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\SmartcardCredentialProvider.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\x64\3\es-ES\hp8500nt.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NGJ7E.GPD.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\it-IT\prnsa002.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\es-ES\DfrgUI.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\it-IT\Netplwiz.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\NetworkMap.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\capiprovider.dll.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\de-DE\Licenses\_Default\ProfessionalE\license.rtf.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\BRD9040N.GPD.bat | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 268 wrote to memory of 2224 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 268 wrote to memory of 2224 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 268 wrote to memory of 2224 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2224 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2224 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2224 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2224 wrote to memory of 2696 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2224 wrote to memory of 2696 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2224 wrote to memory of 2696 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
| Process | Command line |
|---|---|
| C:\Windows\System32\WScript.exe | `"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"` |
| C:\Windows\System32\cmd.exe | `"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)` |
| C:\Windows\system32\takeown.exe | `takeown /f C:\Windows\System32\*` |
| C:\Windows\system32\icacls.exe | `icacls C:\Windows\System32\* /grant everyone:(F)` |
Network
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| Hash | Value |
|---|---|
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-10-11 15:42 |
| Reported | 2024-10-11 15:44 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 99s |
| Max time network | 124s |
Command Line
Signatures
Renames multiple (24556) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\drivers\UMDF\ja-JP\SensorsHid.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\percsas3i.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\USBAUDIO.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\pci.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\hidbth.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\bthenum.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\en-US\wpdmtpdr.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\srv2.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\rdvgkmd.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mlx4_bus.sys.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\usbhub.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\sdstor.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\modem.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\i8042prt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\sdbus.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\cmimcext.sys.bat | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3232 wrote to memory of 2280 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 3232 wrote to memory of 2280 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2280 wrote to memory of 4640 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2280 wrote to memory of 4640 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2280 wrote to memory of 4092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2280 wrote to memory of 4092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\* /grant everyone:(F)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |